It is not uncommon for many e-commerce type sites to store customer credit card data for ease of transaction history and auditing purposes. This is unfortunately the exact type of information a thief is looking for. It is equally unfortunate that it is yet another thing we testers have to keep in mind when verifying these systems.

It is not completely hopeless though. The Payment Card Industry (PCI) (Visa, Mastercard, American Express and JCB) has what it calls the Data Security Standards (DSS). Consider this to by your oracle when testing card data. Lifted from the Wikipedia PCI DSS page, the high-level objectives and requirements are:

  1. Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  3. Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  4. Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  5. Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  6. Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

Each of the requirements are flushed out in the Official PCI DSS Standard which is a free pdf.

So does this apply to you? If you store, process or transmit the PAN (Primary Account Number) then it certainly does. If you use a branded payment gateway you might be off the hook. If the PCI finds that this does apply to you and you are out of compliance, you might be in for some surcharges, fines and excess liability in the event of a breach.

Heck, if they do not apply to you now, they might later so you might as well start implementing parts of it. You could do far worse from a security perspective.